At the Defcon security conference on August 2007, a hacker and Defcon staffer who goes by the name Zac Franken, showed how a small homemade device he calls "Gecko", which can perform a hack on the type of access card readers used on office doors throughout the country.
Are You Protected by a Piece of Plastic and Two Screws? Wiegand Had Its Day! Borer All-in-One Solution, will Ensure Your Data is Secure Borer White Paper - October 2007 Introduction to Wiegand The majority of cards and biometric readers in access control systems use a Wiegand interface to transmit data read from a card to a control panel. The control panel will then validate the date received and grant/deny access. Often people in the Access Control Industry accept the Wiegand interface as a standard. Wiegand is not a standard as there is no formal definition, ratified by ISO or the IEEE, of the Wiegand Interface against which manufacturers can measure the performance of their equipment. Wiegand is more of an informal working convention, which has allowed the manufacturers of card and biometric readers using a variety of reading technologies to connect their products to control panels produced by system integrators. Originally Wiegand referred to a card reader technology consisting of a plastic card with two rows of metallic wire bars, which when a bar passed in front of a magnetic field and sensor circuit, generated a small electronic current. The means by which this signal was passed to a control panel, the Wiegand interface, has since become a convenient convention for the transmission for data for the majority of card and biometric readers. Wiegand Explained Wiegand is a three wire electrical interface first employed in the 1970's and still being used today by a majority of card reader manufacturers, which is designed to enable a card reader made by one manufacturer to pass data, read from a card to a control panel produced by a different manufacturer. It consists of three wires called "Data-0", "Data-1" and "Ground". A short pulse on the "Data-0" represents a binary "0" while a pulse of the "Data-1" represents a binary "1". The picture below is a graphical representation of a Wiegand data stream for the binary value "01101". Each dip in the line represents a change from 5V to 0V, thus communicating the bit value.
Page 1 of 6 Borer White Paper - Wiegand Security Compromised Wiegand data format is represented by the total bit count and the distribution of data fields on a card. The figure below illustrates the use of 26-bit Wiegand, the most commonly used Wiegand data format.
This Wiegand format consists of a parity bit, 8-bit facility code, 16-bit user ID, and parity bit, for a total of 26 (1+8+16+1=26) bits. With this basic understanding of how to translate the information in the 26-bit Wiegand format, you can apply a similar convention to decode the data in any other data format passed over a Wiegand interface. Once you know the distribution of the data fields, you can extract the facility code and user ID fields.
Typical Solution using a Wiegand Reader Physical connection between reader head and controller. Vulnerable to attack.
Page 2 of 6 Borer White Paper - Wiegand Security Compromised Wiegand has been Compromised At the Defcon security conference on August 2007, a hacker and Defcon staffer who goes by the name Zac Franken, showed how a small homemade device he calls "Gecko", which can perform a hack on the type of access card readers used on office doors throughout the country. "Gecko" is simply a small, programmable PIC chip with a wire connector on either side. Once it's connected to the wires behind the card reader, it's not only trivial to use a 'Replay' card to get through the door, but you can also disable the system so that nobody else can come in behind you. What's more, making a "Gecko" is easy and cheap. Franken says the hardware costs about $10 (£5). According to Franken, the hack subverts the Wiegand protocol, commonly used for communication between the card reader and the back-end access control system, and doesn't take direct advantage of any problems with any of the hardware involved. When you swipe your card at the office door, the reader sends a signal using the Wiegand protocol to the control panel, which once the card has been validated, opens the doors. Franken's demonstration showed how to hack into a card access reader by: . Popping the card access reader's plastic cover (most card readers used in access control applications do not have tamper protection); . Undoing two retention screws and exposing the electrical cable which connects the card reader to the control panel; . Introducing a miniature circui... [download for more]
